DFARS 7012 FAQ

DFARS 252.204-7012, titled “Safeguarding Covered Defense Information and Cyber Incident Reporting”, is a clause in the Defense Federal Acquisition Regulation Supplement (DFARS) that sets out how Covered Defense Information (CDI) must be protected on a contractor’s information systems, including any cloud services used to process, store, or transmit it, and how cyber incidents affecting that information must be reported to DoD.

What Is CDI?

CDI, or Covered Defense Information, means unclassified controlled technical information or other information that requires safeguarding or dissemination controls. Information is CDI in one of two ways: it is either marked (or otherwise identified in the contract) and provided to you by or on behalf of DoD, or it is collected, developed, received, transmitted, used, or stored by you in support of performing the contract. The complete definition is in the text of the DFARS 7012 clause.

Who Decides What Is CDI?

The government’s contracting officer has the responsibility for determining what data is and isn’t CDI, and that determination is communicated through the markings and identification in the contract, task order, or delivery order. That does not relieve the contractor of the need to recognize CDI that it creates or receives while performing the contract; the clause’s definition covers information “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor”, not just information handed over by DoD. When in doubt, ask the contracting officer in writing rather than guessing.

Tips For Identifying CDI

Here are some facts to help you understand what might and might not be CDI.

Where is CDI really defined?

DFARS 252.204-7012(a) defines CDI as unclassified controlled technical information or other Controlled Unclassified Information (CUI) that requires safeguarding or dissemination controls. This means you have to understand both unclassified controlled technical information and CUI.

What is Controlled Unclassified Information (CUI) and where is it defined?

Controlled Unclassified Information, or CUI, is defined by the National Archives as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” See the National Archives CUI Registry for more information about what is and is not CUI.

What is controlled technical information and where is it defined?

DFARS 252.204-7012(a) defines controlled technical information as technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Information that is lawfully publicly available without restrictions is excluded. The DFARS 7012 clause also says that controlled technical information would meet the criteria, if disseminated, for distribution statements B through F in DoD Instruction 5230.24.

What is DoD Instruction 5230.24 and what are distribution statements B through F?

DoD Instruction 5230.24 provides the policies and rules for marking and managing technical documents to denote the extent to which they are available for secondary distribution, release, and dissemination without additional approvals or authorizations. It also establishes a standard framework and markings for managing, sharing, safeguarding, and disseminating technical documents in accordance with policy and law. Distribution Statement A marks a document as approved for public release with unlimited distribution; statements B through F each restrict distribution to a narrower audience (for example, U.S. Government agencies only, U.S. Government agencies and their contractors, DoD and DoD contractors only, DoD components only, or further dissemination only as directed by the controlling DoD office). Because statements B through F all impose a restriction on who may receive the document, technical information that would carry one of them is controlled technical information, and therefore CDI, under the DFARS 7012 clause.

Does CDI come from the government, or might I be creating it?

You might be creating it. The DFARS 7012 clause says CDI can be “collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.”

DFARS 7012 Glossary

CDI: Covered Defense Information – unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at http://www.archives.gov/cui/registry/category-list.html, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is (1) Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or (2) Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

CTI: Controlled Technical Information – information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. The term does not include information that is lawfully publicly available without restrictions.

CUI: Controlled Unclassified Information – information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. The categories of CUI are listed in the National Archives CUI Registry.

Cyber Incident: actions taken through the use of computer networks that result in a compromise or an actual or potentially adverse effect on an information system and/or the information residing therein.

Security Control: A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality, integrity, and availability of its information and to meet a set of defined security requirements.